The site haveibeenpwned.com publicly lists email addresses that have appeared in hacks, as well as all passwords that have appeared; for security reasons, addresses and passwords are not shown together.
There are also similar services in the academic environment:
Hasso Plattner Institute/University of Potsdam
identity leak checker/Uni Bonn.
If an address is listed there, it does not mean that you have done anything
wrong, only that a provider with which you registered your email
address (e.g. as username or as contact address) has been
"hacked"; this may have happened some time ago. It may even be that
another person entered your address, e.g. as a username.
Pwned originated as a typo of owned and here stands for
"caught".
If we learn of new entries in this database (we receive information about the
domains @sbox.tugraz.at, @student.tugraz.at and
@tugraz.at), we inform the affected users (semi-automatically).
What to do?
If no password was affected by the hack, or you do not use the TUGRAZonline password on other services, or you have already changed the TUGRAZonline password anyway, then at least the account at TU Graz should not be at risk, but there may be other consequences.
Example: Here you can see that a ZID employee address (1) was affected (2) in a Dropbox hack in 2012 (3) and a LinkedIn hack in 2016 (4), and that unfortunately passwords were affected (5):
This means that the affected employee should now urgently change the
respective passwords at Dropbox and LinkedIn, if he has not already done so after
2012 or 2016, respectively. If your address appears under "Anti Public Combo List" (December 2016) or "Onliner Spambot" (August 2017) or "Exploit.In" (end of 2016), then unfortunately it is unknown exactly which service is affected. Don't forget to search the non-public breaches as well:
In general, even for services where this is not enforced, you should
change your password regularly and you should never use the
same password for different services!
For services where you do not want it to be known that you are a customer,
it is also advisable to use an email address that does not allow any inference
about your name or your employer.